Archive for the ‘HIPAA’ Category

A 2018 roadmap to healthcare compliance should focus on cybersecurity, vendor management and telehealth.

As the year winds down, we see numerous lists of priorities healthcare organizations should focus on in the coming year. However, if you are looking to those end-of-year lists for guidance on what your organization should pay attention to in 2018, you are already behind. If you do find yourself playing catch-up, drafting your 2018 compliance work plan is the best place to start.

As the roadmap for your compliance efforts throughout the year, your annual work plan should indicate key high-risk areas. The Office of Inspector General (OIG) of the Department of Health & Human Services (HHS) has indicated that developing an annual compliance work plan is integral to the administration of an effective compliance program (Measuring Compliance Program Effectiveness – A Resource Guide).

The annual work plan and compliance program administration are but one portion of what is required for an organization to have a robust and effective compliance program. The required elements of a compliance program are the following:

Standards, Policies and Procedures;

Compliance Program Administration;

Screening and Evaluation of Employees, Physicians, Vendors and Other Agents;

Communication, Education and Training;

Monitoring, Auditing and Internal Reporting Systems;

Discipline for Non-Compliance; and

Investigations and Remedial Measures.

These elements provide a broad framework for your organization to identify risk, proactively remediate and provide a response mechanism to mitigate when there is an exposure. Working the plan and program throughout the year helps your organization achieve a state of ongoing readiness.

Cybersecurity

Cybersecurity is one item that will likely factor more heavily in your work plan, and appropriately so. In June 2017, the HHS Health Care Industry Cybersecurity Task Force released a report on improving cybersecurity in the industry. The Task Force concluded that cybersecurity, at its core, is a patient safety issue and a “public health concern that needs immediate and aggressive attention.”

Some of the areas to address in the broader realm of cybersecurity include:

Ransomware;

Email security, including phishing;

Internet of Things (IoT) and devices;

Bring your own device (BYOD); and

Medical identity theft.

As the Task Force report notes, cybersecurity must be thought about across the continuum of care in your organization. Work to shift the culture and thinking that cybersecurity is simply a technology issue, of concern only to the IT department.

Do this by implementing policies and procedures for key cybersecurity issues and then communicating them across the organization. Follow that with training that includes everyone in your organization, from staff to board members. The training should define cybersecurity, explain how threats such as phishing and ransomware may manifest in the organization, and walk through your policies and procedures so that everyone knows what they can and cannot do and how to respond when something looks wrong.

Third-Party Vendor Management

The outsourcing of services to third-party vendors is increasingly common, and for good reason. Such relationships offer real benefits, but they also carry legal, financial, reputational and compliance-related risks. The following questions will help you evaluate your third-party vendor relationships:

Does your organization, as a covered entity (CE) under HIPAA, have a vendor compliance program to help you identify, manage and report on these risks?

Do you review and assess your vendors’ risk profile?

Are you familiar with each vendor’s hiring practices?

Do you know which vendors’ products connect to other IT systems that contain critical data, including protected health information (PHI)?

Do you have insight into each vendor’s information security and data privacy capabilities?

Do you know with which vendors you have a business associate agreement (BAA)?

For many healthcare organizations, the answer to several of these questions is likely “no,” which creates risk for those organizations. The OIG’s position is clear: healthcare entities have a responsibility to proactively identify, assess and manage the risks associated with their vendor relationships.

All vendors are NOT created equal. A good starting point in managing an effective and efficient third-party compliance program is to risk-rank vendors based on their access to critical assets or information; direct network connectivity into your environment, access to PHI, and the ability to disrupt clinical operations are the usual criteria for the top tier. By segmenting your vendor population into “risk tiers” you can focus limited resources on the most serious exposures.

Components of third-party compliance assessment should include, among other things:

Due diligence (background, reputation, strategy);

Knowledge of, and compliance with, security and privacy requirements;

Operations and internal controls (policies and procedures);

Workforce controls, background and exclusion checks; and

Training and education.

And, of course, with every vendor that meets the definition of a Business Associate, ensure that a written BAA is in place. BAAs can be complex and are often daunting, but they must be carefully negotiated and executed by both parties.

Ensuring that your vendors have strong compliance programs in place and that they are following through on their BAA obligations goes a long way toward meeting your own compliance obligations and minimizing risk. Keep in mind, though, that a BAA allocates responsibility on paper; it does not verify that the vendor’s controls actually work. That verification (security questionnaires, independent audit reports, periodic reassessment) is what the risk tiering above is meant to prioritize, and it remains the covered entity’s responsibility regardless of what the contract says.

Telehealth

The compliance concerns related to the delivery of care via telehealth are numerous and include the following:

Licensing;

Credentialing;

Security;

Regulatory requirements for billing; and

Fraud and abuse.

An area to focus some attention on is payment under federal healthcare programs. The OIG currently has two active work items on telehealth, one for Medicaid and one for Medicare. Both of the items relate to the propriety of payment for telehealth services.

If your organization provides telehealth services, consider conducting a risk assessment to determine if you have any exposure in the area. Risk assessments are not strictly one of the 7 required elements of a compliance program, but they are often referred to as the “8th Element” given the focus on them in the Federal Sentencing Guidelines and OIG documents.
Risk assessments, along with the other elements of a compliance program, provide your organization the means to identify, prioritize, remediate and/or mitigate the myriad on-going risks it will encounter. If you are not working your compliance program and specific risk areas throughout the year, you are failing to adequately prepare for an event. By failing to prepare, as one wise man said, you are preparing to fail.

About the Authors: Tim Feldman is Vice President and General Manager of Healthcare Compliance & Reimbursement at Wolters Kluwer Legal & Regulatory U.S. He oversees product development across a vast suite of practice tools and workflow solutions to help professionals stay ahead of regulatory developments and effectively manage compliance activities. Darci L. Friedman, JD, CHPC, CSPO, PMC-III, is the Director of Content Strategy & Author Acquisitions for Healthcare Compliance, Coding & Reimbursement at Wolters Kluwer Legal & Regulatory U.S. She is responsible for supporting the overall strategy for developing new content and features, innovating new product models, and recruiting top content contributors.

HIN Disclaimer: The opinions, representations and statements made within this guest article are those of the author and not of the Healthcare Intelligence Network as a whole. Any copyright remains with the author and any liability with regard to infringement of intellectual property rights remain with them. The company accepts no liability for any errors, omissions or representations.

Patients need to understand the information security protections provided by their healthcare providers, according to a new infographic by ISACA.

The infographic outlines a few questions that patients can ask of their providers to confirm that those organizations are applying appropriate and diligent stewardship of the data they hold in trust.


Telehealth is one of the fastest growing and developing areas of healthcare today. With this rapid growth come many questions and concerns that arise when legal and regulatory schemes are not able to keep up with the pace of development. One such concern is the legal and regulatory issues relating to the privacy and security of telehealth services. Telehealth services can be provided securely, but specific attention must be paid to information and application security in order to protect patient privacy and comply with laws such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Healthcare provider executives who currently offer, or are considering offering, telehealth services to their patients should give attention and appropriate resources to the following areas in order to maximize the organization’s security posture and operational efficiencies.

Arrangement Structure

One of the primary decisions for a healthcare provider organization to make with any telehealth arrangement is whether the organization will provide the telehealth services itself or in collaboration with a third party. Many considerations will be part of this decision, but information privacy and security should be one of them. An organization should only consider providing telehealth services on its own if it can dedicate sufficient resources and personnel to establishing and maintaining the secure transmission and storage of patient information. Only an organization with a competent and established information technology staff should consider providing telehealth services in this manner.

If an organization chooses instead to collaborate with a third party to provide telehealth services, there are several third parties with whom the organization can collaborate to provide those services securely. Those third parties can provide anything from equipment only to a full range of services, including digital infrastructure and professional physician services. When a third party is involved, the organization must also consider how to structure the arrangement for purposes of HIPAA, including determining whether the third party will be a business associate of the organization or whether the organization and the third party will function as a single Organized Health Care Arrangement (“OHCA”) under HIPAA. These decisions will impact how information flows between the parties and who is responsible for securing that information.

Contractual Protections

Responsibility for securing information where the provider organization collaborates with a third party will be governed by the operative agreements between the parties, including the Business Associate Agreement, where applicable. Provider organizations should be sure that the agreements detail the third party’s security-related obligations and establish the third party’s responsibility for failing to meet those obligations. The operative agreements also should contain sufficient representations and warranties of the third party’s security posture, including the technical specifications that the third party will implement in order to safeguard patient information. The agreements should also spell out how quickly the third party must report a security incident to the provider organization, whether the provider may audit or obtain evidence of the third party’s controls, and that the third party will flow the same obligations down to any subcontractors that handle patient information. Equally important is making sure that the operative agreements include sufficient assurances that patient information will remain accessible to the appropriate healthcare provider.

Technical Specifications

Telehealth arrangements will differ in the precise technical specifications that the parties implement to safeguard patient information. However, certain technical specifications are broadly applicable and can significantly reduce security risks. One example is encryption. Encrypting patient information both at rest on the systems that store it and in transit between systems does not stop an intrusion or a lost laptop, but it renders the data unreadable to anyone without the key. Under HHS breach-notification guidance, PHI encrypted in line with NIST recommendations is not “unsecured” PHI, so the loss of a properly encrypted device generally does not trigger breach notification, provided the keys were not compromised along with the data. Another such specification is authentication of the participants in a telehealth encounter, the clinicians and patients themselves. Technical measures should verify the identity of both sides so that everyone can have confidence that the individuals in the encounter are who they appear to be; for clinicians that typically means multi-factor authentication to the telehealth platform, and for patients some form of identity proofing at enrollment followed by a credential or one-time code at the time of the visit. Provider organizations should strongly consider implementing such technologies in any telehealth services arrangement.
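As an added example, not part of the Hall Render article and not code from any telehealth vendor, the following Go program shows what “encryption at rest” with integrity protection looks like in practice: AES-256-GCM over a constructed telehealth note, with the patient identifier bound in as associated data so that a ciphertext moved onto another patient’s row is rejected rather than decrypted. The record type, field names, sample note and identifiers are assumptions for illustration; the key is generated in memory so the example runs offline, whereas a production deployment would obtain it from a key management service or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is a constructed stand-in for a stored telehealth note (field names assumed).
type Record struct {
	PatientID string // kept in the clear so rows can be indexed
	Note      []byte // the PHI payload that must be encrypted at rest
}

// Sealed is what lands on disk: the patient ID plus nonce || ciphertext || tag.
type Sealed struct {
	PatientID string
	Blob      []byte
}

// NewKey makes an in-memory 256-bit AES key; production would use a KMS/HSM.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts r.Note with AES-256-GCM, passing the patient ID as additional
// authenticated data so the ciphertext cannot be re-used on another patient's row.
func Seal(key []byte, r Record) (Sealed, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := aead.Seal(nil, nonce, r.Note, []byte(r.PatientID))
	return Sealed{PatientID: r.PatientID, Blob: append(nonce, ct...)}, nil
}

// Open reverses Seal. Any change to the blob, or to the patient ID it was
// bound to, makes the GCM tag check fail and returns an error.
func Open(key []byte, s Sealed) (Record, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	if len(s.Blob) < aead.NonceSize()+aead.Overhead() {
		return Record{}, fmt.Errorf("sealed blob too short")
	}
	nonce, ct := s.Blob[:aead.NonceSize()], s.Blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(s.PatientID))
	if err != nil {
		return Record{}, fmt.Errorf("integrity check failed: %w", err)
	}
	return Record{PatientID: s.PatientID, Note: pt}, nil
}

// Demo exercises a clean round trip, a flipped ciphertext byte, and a re-bound ciphertext.
func Demo() (roundTrip, tamperDetected, rebindDetected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	orig := Record{PatientID: "MRN-0001", Note: []byte("constructed visit note: BP 128/82")}
	sealed, err := Seal(key, orig)
	if err != nil {
		return
	}
	got, err := Open(key, sealed)
	if err != nil {
		return
	}
	roundTrip = string(got.Note) == string(orig.Note)
	tampered := Sealed{PatientID: sealed.PatientID, Blob: append([]byte(nil), sealed.Blob...)}
	tampered.Blob[len(tampered.Blob)-1] ^= 0x01 // corrupt one byte of the GCM tag
	_, e := Open(key, tampered)
	tamperDetected = e != nil
	rebound := Sealed{PatientID: "MRN-0002", Blob: sealed.Blob}
	_, e = Open(key, rebound)
	rebindDetected = e != nil
	return
}

func main() {
	rt, td, rd, err := Demo()
	fmt.Printf("round trip=%v tamper detected=%v rebind detected=%v err=%v\n", rt, td, rd, err)
}
```

The point of using an authenticated mode such as GCM rather than plain CBC is that decryption fails loudly on any modification, which is what lets an organization trust the “properly encrypted” status of stored records. Encryption in transit is not shown because it is normally handled by TLS in the telehealth platform rather than application code. The hard part in practice is key management: if the key is stored next to the data, or is exposed along with a lost device, the breach-notification safe harbor no longer applies.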

Security Awareness

Even the best technical safeguards can be compromised by human error, so it is imperative that effective security awareness training be provided both to workforce members as well as patients. Workforce members who participate in telehealth services arrangements must be made aware of their obligations to protect the privacy and security of patient information under their organization’s policies and procedures and be sanctioned when a violation occurs. Likewise, patients should be provided with information about the security risks present in telehealth arrangements and advised of the steps they can take to mitigate those risks.

Security Risk Analysis

Provider organizations are required under HIPAA to periodically perform an enterprise-wide security risk analysis and to take steps to remediate any risks that are identified. The failure to do so can result in substantial fines and penalties to a provider organization. An enterprise-wide risk analysis considers not only the electronic health record but also any system or equipment that contains electronic patient information, which would include equipment and systems utilized in providing telehealth services. Accordingly, provider organizations should be sure to include telehealth systems in their risk analysis, including those utilized by a third party service and to address any identified risks and vulnerabilities in a timely fashion.

This article is educational in nature and is not intended as legal advice. Always consult your legal counsel with specific legal matters. If you have any questions or would like additional information about this topic, please contact Ammon Fillmore at (317) 977-1492 or afillmore@hallrender.com or Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com.

About the Authors: Ammon Fillmore and Mark Swearingen are attorneys with Hall, Render, Killian, Heath & Lyman, P.C., the largest healthcare-focused law firm in the country. Please visit the Hall Render Blog for more information on topics related to healthcare law.


Data breaches in the healthcare industry are increasing every year at an alarming rate, according to a new infographic by Kays Harbor.

In 2016, a total of 326 breach incidents were reported to the HHS Office for Civil Rights (OCR), according to the infographic. The number of incidents keeps rising despite greater awareness, HIPAA regulations, guidelines and strict measures to protect patient privacy.

The infographic drills down on the breaches that occurred in 2016 and how to minimize the risk of a breach this year.

Get the latest healthcare infographics delivered to your e-inbox with Eye on Infographics, a bi-weekly, e-newsletter digest of visual healthcare data. Click here to sign up today. Have an infographic you’d like featured on our site? Click here for submission guidelines.

Communication with current and potential patients is pivotal to maintaining and growing your practice, but your practice must ensure that you are compliant in all of your communication points with HIPAA, FDA and FTC rules, according to a new infographic by Response Mine.

The infographic touches on all points of patient communication—from digital advertising and marketing to scheduling appointments and patient reminders—to help practices protect patient information and stay compliant.


Data loss from U.S. hospitals, urgent care centers, dental practices and clinics is reaching epidemic proportions, according to a new infographic from Safetica. Last year the confidential records of one in three healthcare patients in the United States were compromised. But what are the costs and causes of data breaches, and how can they be prevented?

The infographic examines the impact of data breaches, the cost of a data breach and a checklist to compare your organization’s data security practices against recent HIPAA case law.


The healthcare industry is under pressure to advance its use of technology to control costs, digitize patient information and streamline operations. But with significant increases in cyber attacks and the sensitive nature of healthcare data, security is a growing concern, according to a new infographic by ESET.

The infographic examines: which threats healthcare organizations fear most; how healthcare breaches affect consumer behavior; and what security solutions are most effective.

Covered Entity Manual is a template-style download manual that can be easily adapted to align with your compliance needs as a covered entity. All content complies with the Omnibus Rule.

Covered Entity-Specific Manual provides you with a generic, comprehensive set of policies and procedures: 33 privacy policies; 30 security policies; 6 policies that address common requirements of both the privacy and security rules; 1 breach notification policy; and 12 forms and templates, including a notice of privacy practices.


Physical safeguards are the set of standards under the HIPAA Security Rule that govern physical access to, and storage of, the systems and media holding protected health information, according to a new infographic by Vigyanix.

The infographic details the physical safeguard requirements for facility access controls, workstation use and security, and device and media controls.

Business Associate Manual is a template-style manual that can be easily adapted to align with your compliance needs as a business associate (BA). All content complies with the Omnibus Rule.

The healthcare industry has become a high-profile target for cyber criminals. For the first half of 2015, healthcare ranked #1 in terms of notable incidents of records compromised, with nearly 34 percent of all records compromised across all industries, according to a new infographic by IBM.

The infographic looks at the impact of healthcare data breaches and why healthcare data is so valuable.


HIPAA data breaches are rising, according to research conducted by Privacy Analytics Inc. for a new infographic, HIPAA Breaches 2009-2015.

Culling data from the HHS Office for Civil Rights (OCR), Privacy Analytics found 1,286 reported incidents affecting 153 million individuals at the time of publication. The largest was the Anthem breach reported earlier that year, affecting over 78 million records. According to the Guide to the De-identification of Personal Health Information, the cost of a breach, including notification, fines, legal fees, forensics and public relations, is approximately $208 per affected person; the average breach involved over 100,000 records and cost about $24 million. The states with the highest number of individual records breached were Indiana, California and Washington.

The infographic looks at breaches by type, the need for more HIPAA organizational knowledge and training and new data privacy and security challenges as the use of secondary health data grows.
